Re: [webauthn] Being able to access the same public key credentials across different domains (#1827)

Stumbled onto this problem just now and wondering the same thing. For an organization it's useful to be able to have a single key/identity given to a participant in that organization to give access to endpoints, similar to single sign-on solutions offered by Apple or Google.

1. IFrame does not work across combinations of Safari/Apple devices.

2. Easy to track, already we are tracked from just the way we type our sentences. "Easy to track"
So not easy to track should not be considered good security due to obfuscation. Already the website will
have our IP address we connected from, and metadata on us, also if we use an email during registration or
a name, we probably have to give credit card information on the website etc. It's moot.

There should be an option to generate a new keypair OR use the same identity. And it would be up to the
client. Too much is lost by generating a new one each time in terms of security from the organization, and in terms
of carrying your reputation over.

3. Phishing attacks point is moot. An impersonation website got you to sign a message, but that message does not have to be arbitrary, for example as mentioned it could include the domain/domains/identity of who the signature is for. Thus a token signed on imposter.com would not be validated on realsite.com. (Obviously the client side inserts the extra data into the blob to be signed.)
To elaborate:

Case A Identity based (non-domain use case)
realsite.com - Identity ed25519:7emAPGY2AhFz4DpCr7mQonyztttCNDZX3dEgBZnGZKE8
imposter.com - Identity ed22219:EnPujttyRRVhRmmErWNNTw8QoBGgXVmWkFAvnXN882pN

I connect to imposter.com and then ask for its identity + present a challenge. imposter.com signed my challenge and proves they are 7emAPGY2AhFz4DpCr7mQonyztttCNDZX3dEgBZnGZKE8. I then proceed to auth with imposter.com identity embedded into my credential, 7emAPGY2AhFz4DpCr7mQonyztttCNDZX3dEgBZnGZKE8. I sign and give it to imposter.com.

imposter.com is now HAHAHAH what a sucker, I'll log in to realsite.com now. imposter.com goes to realsite with the credential and realsite.com says, SORRY this credential was signed for 7emAPGY2AhFz4DpCr7mQonyztttCNDZX3dEgBZnGZKE8 but we are EnPujttyRRVhRmmErWNNTw8QoBGgXVmWkFAvnXN882pN, please sign a new credential specifically for us.

Case B Domain based. Same thing as above but replace the identity with the domain in the URL bar.


-- 
GitHub Notification of comment by vans163
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1827#issuecomment-1345280408 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 10 December 2022 14:50:07 UTC
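
The audience-binding check described in point 3 of the comment above, as an added example that is not part of the original comment or of the WebAuthn specification. The function names, the JSON payload layout and the single reused Ed25519 key pair are assumptions made for illustration; it runs on Node.js.

```javascript
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Constructed client key pair: one identity reused across sites (assumption).
const client = generateKeyPairSync('ed25519');

// Client side: the client software, not the page, embeds the audience
// (domain or site identity) into the blob before signing it.
function signAssertion(privateKey, audience, challenge) {
  const payload = Buffer.from(JSON.stringify({ audience, challenge }));
  return { payload, signature: sign(null, payload, privateKey) };
}

// Server side: check the signature first, then that the signed audience
// and challenge are the ones this server expects.
function verifyAssertion(publicKey, self, expectedChallenge, { payload, signature }) {
  if (!verify(null, payload, publicKey, signature)) return 'bad-signature';
  const { audience, challenge } = JSON.parse(payload.toString());
  if (audience !== self) return 'wrong-audience';
  if (challenge !== expectedChallenge) return 'stale-challenge';
  return 'ok';
}

// Relay scenario: realsite.com issues a challenge, imposter.com passes it on.
function relayScenario() {
  const challenge = randomBytes(16).toString('hex');
  // The victim is on imposter.com, so the signature is bound to that audience.
  const relayed = signAssertion(client.privateKey, 'imposter.com', challenge);
  // Rewriting the audience afterwards invalidates the signature.
  const forged = {
    payload: Buffer.from(JSON.stringify({ audience: 'realsite.com', challenge })),
    signature: relayed.signature,
  };
  // A direct login on realsite.com for comparison.
  const honest = signAssertion(client.privateKey, 'realsite.com', challenge);
  const check = (a) => verifyAssertion(client.publicKey, 'realsite.com', challenge, a);
  return { relayed: check(relayed), forged: check(forged), honest: check(honest) };
}

console.log(relayScenario());
```

The check holds only when the audience value comes from what the client software itself observed (the URL bar origin, or an identity the site proved), never from a field the page supplies.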